Questions regarding migration from OpenWRT to NethSecurity

Hello,

I apologize for my poor English, but I am using an electronic translator.

My home setup is 2 routers, one real and one virtual with OpenWRT.

The physical router has a bond and four VLANs, one for the home network, one for the untrusted network, and each provider in a separate VLAN. The virtual router is only eth0 and the described VLANs.

I have two Internet providers. One is DHCP and one has static settings. I use mwan3 in balanced mode. Since I have separate hosts that need to “exit” from a specific provider

  • I use keepalived + conntrackd to determine which is the primary and which is the secondary router, using an external script. When it is secondary, it removes the VLANs and the following services: dnsmasq, odhcpd, mwan3, then performs static routing and manually assigns a nameserver.

  • I have nginx that reverse proxies hosts to the internet.

  • In addition, I have snmpd, smtr (postfix, email notification) and other small ones.

  • For backup, I make a backup with a script and send it via tftp to another server.

I downloaded and launched NethSecurity, but for one provider, I need to assign/enter a MAC address.

I receive SSL certificates through Cloudflare, and the certificate is a wildcard.

In the future, I plan to launch OpenVPN or WireGuard, which will work through both providers.

The question is, can this be configured on NethSecurity?

I guess I’ll have to configure HA + web-based control panel?

Best regards,

A. Hristov

Hi,

welcome to NethServer community.

High availability is a new feature, see NethSecurity project milestone 8.6: High availability, Wizard setup, FlashStart ProPlus, persistent logs; High Availability (Beta) — NethSecurity documentation; and for more detailed info High Availability Firewall | NethSecurity

From the manual:

VLANs are supported only on physical interfaces.

So I’m not sure if your VLAN configuration is supported.

Bonds and VLANs are configurable, see Network interfaces — NethSecurity documentation

MultiWAN balanced mode is supported, see MultiWAN — NethSecurity documentation

Nginx is used as reverse proxy on NethSec, see Certificates and reverse proxy — NethSecurity documentation

As regards SNMP, see SNMP Server — NethSecurity documentation

Backup can be downloaded or there’s a cloud backup with subscription.

Uploading certificates should be possible, see Certificates and reverse proxy — NethSecurity documentation

OpenVPN Roadwarrior: OpenVPN Road Warrior — NethSecurity documentation

Wireguard VPN: WireGuard VPN — NethSecurity documentation

Yes, usually the whole configuration is done via the web interface, except for new features that need some configuration steps on the CLI.

You can find it in the advanced settings when creating/editing an interface.

1 Like

Hello,

Thank you for your reply. I am responding a little late, as I did not see the notification that I had a reply to my topic.

Regarding the MAC address, perhaps I did not express myself correctly. I need to change the MAC address on one interface. I tried adding it manually in /etc/config/network, in the interface section. Then, to be sure, I restarted. But it had no effect. Then I executed the following commands:

uci set network.net1_test.macaddr='00:11:22:33:44:55'
uci commit network
ifdown net1_test && ifup net1_test

This also had no effect. I guess I’m doing something wrong, but I don’t understand what.

I have now set up a test environment to see how it works

  • which packages should not be downloaded from the openwrt repositories; in this case, I downloaded and installed nano-full, bmon, and htop.

  • to what extent it is not recommended to configure manually, but to use the web instead

Best regards,

Hi @a.hristow ,

sorry, I thought it worked using the client ID.

The only way I found to change the MAC is to use ifconfig in /etc/rc.local to change it on boot.

Edit /etc/rc.local and add following ifconfig lines:

ifconfig eth2 down
ifconfig eth2 hw ether 00:11:22:33:44:55
ifconfig eth2 up
exit 0

You can download any package, but there could be issues during system updates when external repos are active, so I'd recommend just installing the needed packages and disabling the repos again by commenting them out in /etc/opkg/customfeeds.conf

One of the advantages of NethSecurity compared to OpenWRT is the easy-to-use web interface but it’s also possible to configure via CLI.
If a feature is supported in NethSecurity you should use it, if it’s not supported you could install/configure it manually. Just to avoid configuration conflicts between NethSec and OpenWRT.

Hi, @mrmarkuz

I will try to tell you what I encountered during the configuration of NethSecurity. This is a personal opinion and I do not oblige anyone, I just share experience and knowledge.
In fact, the project won me over by the fact that they have united in one finished product: OpenVPN, Snort, Netdata and others. Quite functional and clean, and last but not least, beautiful.
But what impressed me personally is the general HA + control panel. If I manage to configure everything else, I will test this too. Currently I use keepalived + conntrackd, but... every change on one router I have to do manually on the other router.

Thanks for the suggestion for rc.local. It works.
I will make some suggestions for people who read the topic.
The ifconfig command (useful and my favorite :)) is already outdated for most distributions, and it is not known when it will be removed from OpenWRT, so accordingly it may disappear here too.
What I added instead is:

ip link set dev eth2 down
ip link set dev eth2 address AA:BB:CC:DD:EE:FF
ip link set dev eth2 up

Although the change is not visible on the Web, it works. The router from which NethSecurity provides internet reported that there is a new MAC address and provided a new IP address.

Thanks for the reminder about /etc/opkg/customfeeds.conf, it saved me time downloading each and every package. Also thanks for the important clarification that later I have to comment out the repo.

At the beginning I mentioned that one of the routers has two interfaces. It has a bond and a vlan on top. Configuration-wise it works.
I have ordered a new micro server. I will only use Proxmox and the main router on top. If you are interested, I can see if it will work in a real situation.

While studying NethSecurity, on my current router I saw that I have an overflow of nf_conntrack_max, the default value is 65536.
In many places on the Internet, when the error ‘nf_conntrack: table full, dropping packets’ appears, they say to change net.netfilter.nf_conntrack_max.
But with the change of net.netfilter.nf_conntrack_max, net.netfilter.nf_conntrack_buckets must also be changed.
As net.netfilter.nf_conntrack_buckets is obtained by dividing net.netfilter.nf_conntrack_max by 2 or 4 or 8.
The tricky part is choosing how many to divide, the larger the divisor, the more RAM and CPU are needed.
In the case of NethSecurity, I have set in /etc/sysctl.d/11-nf-conntrack.conf - net.netfilter.nf_conntrack_max=2097152.
I have chosen 8 and accordingly net.netfilter.nf_conntrack_buckets=262144.
The allocated resource for NethSecurity is 4 cores and 8GB RAM.
And one clarification (if memory serves me correctly) /sys/module/nf_conntrack/parameters/hashsize is responsible for net.netfilter.nf_conntrack_buckets.
net.netfilter.nf_conntrack_max=65536, is a value inherited from many years and perhaps, by default, it would be good to have at least two.

Another interesting case that I encountered is related to the following situation. As I mentioned, I have 2 providers and for each provider I have a Ripe sample for the quality of the internet.
In a MultiWan configuration, for each sample I need to create a Policy for each provider ISP-A and ISP-B. But in the menu there are only Balance, Backup and Custom (3+ Gateways).
And this (3+ Gateways) confused me at first because it is a bit misleading, and in reality I can create a Policy with only one GW. It would be nice to add either in the tooltip or in the documentation that it can be done with only one GW.

Another point where I showed a little creativity is Rules. When adding a new entry, it turned out that the Hostname field is only 12 characters.
But manually correcting the config via console and observing the syntax solved the problem. I hope that in the future there will be no problem with this :)

Another thing that at one point bothered me. When entering keys, a field appears that requires a password. It would be useful to specify that this is the password for the account you log in to the web.
After all, SSH keys also have passwords :) and it took me a while to remember that I need to enter the password for the user for web access. But the idea is good.

  • I also have a question, is there a way to activate sftp on dropbear or will I have to replace dropbear with sshd?

Certificates - here I had an interesting case. I use a wildcard certificate issued by letsencrypt, but it is only active for 3 months, after which it must be reissued and copied to all my servers again.
Until now, I have an old machine that takes care of this. As far as I read the documentation, I didn’t understand if there was a way to upload the certificate via console, so I did the following.

  1. I uploaded an older version of the certificate via web (Certificate+Private key+Chain file), the system reported that it was invalid.
  2. I copied only Certificate + Private key to the /etc/nginx/custom_certs/ directory via console. And I now have an active certificate.
    It is important that the names of the new files are the same as the old ones.
    I think that after each copy, nginx must be restarted to load the new certificates.

I have another question:
Subscription - Under the download link, there is a field for entering an email address. I tried with email, but nothing showed up. Can I use NethSecurity without Subscription?

It turned out to be a bit long as a text to read, for which I apologize (professional distortion from work to explain in detail :) :) :) )

1 Like

The field is for our newsletter with updates

This is the subscription page, you can register there

1 Like

Hi, @alefattorini

Thanks,
The link you shared, "Subscription - Nethsecurity", redirects me to the price list.
At the end of the column "Community For tech enthusiasts" there is a button that redirects me to Download.
I am currently at the stage of whether I can transfer the configuration from the current OpenWRT to nethsecurity.

In this case, the more correct question (my mistake for not expressing it better), if I do not have Subscription, will it interfere with the setup of any of the modules in the router?

Hello! Thank you for trying NethSecurity!

Weird, we get the value directly from the OS if I recall correctly.

As I read, you definitely use the system in a power user way :smile:
NethSec will keep these changes even with an image update, you can customize that section however you like.

We can remove the +3 label, I agree on what you’ve experienced. It’s a custom, if you know what you are doing, you pick that, other users will just leave a balance/backup configuration.

Do you mean the name? It’s limited to 12 otherwise nftables will break and the rule won’t work if I recall correctly. This however has been set when the firewall came out, maybe they addressed the issue?

Nice observation, will address this.

Sftp is not supported by dropbear.
However, I had no issues with latest versions using scp, that will be converted to sftp by openssh-sftp-server, that is installed in the system.

You can indeed ask for a wildcard certificate with the system: Certificates and reverse proxy — NethSecurity documentation

You can even copy the certificate as you do, don’t think will be an issue.

Project will be always 100% open source, some limitations are applied, but I don’t think that will affect you. We have some commercial limitations on some section of the software (such as less DPI applications to filter or the offsite nightly backups hosted on our server)

1 Like

Great, thanks :)

Yes, it works, probably at the beginning I confused something.

Yes, I mean the Rule names. I’ll take into account what you said. But the following problem appeared for me :). If I make up short names, after a few months I won’t remember what means what :), I don’t know if it’s possible to add comments to this. I don’t have that much experience with uci and its syntax.

Maybe the hint should be (Single or 3+ Gateways)

Let me continue with my experience migrating from OpenWRT to NethSec
I reached the section: Reverse proxy
Here there are 2 things that I will change for myself.

  1. Additionally, I add http2 in /etc/config/nginx.d/host.conf.
    In your case, as options in the listen line of /etc/config/nginx, from list listen '443 ssl' to list listen '443 http2 ssl', and the same applies for IPv6. The effect is a slight reduction in the loading time of websites behind nginx; this is only for the Reverse proxy created by me.
  2. Make a symlink from /etc/nginx/uci.conf to /etc/nginx/nginx.conf; it's convenient when you need to check with nginx -t that what you added to the nginx config via console is configured correctly.

When I need to put an IP or network in Allowed networks, it would be convenient to have a comment about who it belongs to. Usually I think that on the same line or on the next line I put in the conf file with # This is for ....

DNS and DHCP
It took me some time to find where through the web to add the dnsmasq parameters, but I started getting used to the system and logic.
What I’m missing, which might be a bit strange for you, is the option list rebind_domain = 'domain.com'
This is a parameter that I added manually in the console.
After that I made changes through the web and what I added through the console didn't disappear :)
The other case I don't know how to properly handle is the following. In the network I have pxe boot + tftp. It saves me time from constantly looking for usb flash drives :)
For now I have 2 solutions
in the section config dnsmasq to add this line:

option dhcp_boot 'pxelinux.0,pxe,192.168.22.7'

or to add this section:

config boot
       option filename 'pxelinux.0'
       option servername 'msrv'
       option serveraddress '192.168.22.7'
       list dhcp_option 'option:root-path,192.168.22.7:/'

As found in the OpenWRT documentation
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#tftp_boot
Both methods work. I would ask, if you have tested, to recommend which variant is a bit safer.

I told a friend about Nethsec and we wondered how to check what will be preserved and what won’t during a system upgrade, looking in the console, I came across the ns-upgrade command :). It works great, but I learned several things:

  1. I found where I can easily see what I installed as packages :), after upgrade - in the file /etc/backup/installed_packages.txt
  2. in /root/ there were some local console configurations (I have a habit of working in console) and they disappeared.
  3. What I had added as a solution for net.netfilter.nf_conntrack_max in /etc/sysctl.d/11-nf-conntrack.conf disappeared.
    Do you have a file where you describe what should be archived?
    I still don’t have backup configured and maybe that’s the problem.

Regarding MultiWan, I thought about what would be convenient for me (not only for MultiWAN, but in general), and how I would do it for myself. If the image had internal documentation, a direct link from the web interface to that internal documentation would be the easy solution. You don't need internet while configuring. But this is quite a lot of work until it's done, built as an architecture/structure and then turned into an installation package.

So far, the migration is going very well, I'm encountering minor issues, but overall I'm finding solutions :)

1 Like

Probably now we can, this section of the firewall was one of the first, and along the trip we actually learned a lot about the system, so this can probably be implemented, no ETA for now though

If after an /etc/init.d/nginx restart everything is in place, you should be good, however be careful since it’s not what the nginx package had in mind (we just forked it)

The nginx package allows only a list, like so: uci add_list nginx.ns_6d670907.allow='1.1.1.1/24', no space for comments sadly

Haven’t played around much with this nginx config, this could be a nice to have.

We try to keep the custom settings untouched when using the UI, sometimes we miss stuff, so please open a discussion or an issue on GitHub so we can plan some changes!

I’d suggest using the full configuration, so that the UI won’t touch that

As per openwrt, the list of the files kept is inside the /etc/sysupgrade.conf file and inside the /lib/upgrade/keep.d/* directory.

While /lib/upgrade/keep.d/ is managed by opkg and the packages installed in the system, you can add custom entries in the /etc/sysupgrade.conf freely.

To check which files are being saved through backup/flashes: sysupgrade -l

This is actually good advice, might be useful. The documentation is just a rendered webpage, so being able to pick that up and throw it inside the image might be useful in some scenarios. In the meantime, if you need offline docs you can download them through the docs website, right down at the bottom of the webpage: docs.nethsecurity.org

1 Like
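The two replies above answer the question of which custom files survive an upgrade: anything listed in /etc/sysupgrade.conf or in /lib/upgrade/keep.d/* is kept, everything else (such as the /etc/sysctl.d/11-nf-conntrack.conf file that disappeared) is lost. The following added example, not from the thread or from the NethSecurity project, is a small POSIX shell helper that answers "would this path survive?" by walking those keep lists; it takes a root directory argument so it can be exercised against a constructed fixture instead of a live router, and the fixture contents (file names, list entries) are invented for the demonstration.

```shell
#!/bin/sh
# Added example: check whether a custom file is covered by the sysupgrade
# keep lists (/etc/sysupgrade.conf and /lib/upgrade/keep.d/*) under ROOT.
# On a real system call it with ROOT=/ ; the fixture below is constructed.

# keep_lists ROOT : print the path of every keep-list file found under ROOT
keep_lists() {
    root="$1"
    [ -f "$root/etc/sysupgrade.conf" ] && echo "$root/etc/sysupgrade.conf"
    for f in "$root"/lib/upgrade/keep.d/*; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# is_kept ROOT PATH : succeed if PATH, or a parent directory of it, is an
# entry in one of the keep lists. Blank lines and '#' comments are ignored.
is_kept() {
    root="$1"; path="$2"
    for list in $(keep_lists "$root"); do
        while IFS= read -r entry || [ -n "$entry" ]; do
            entry="${entry%%#*}"                       # drop trailing comment
            entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
            [ -z "$entry" ] && continue
            case "$path" in
                "$entry"|"$entry"/*) return 0 ;;       # exact file or inside kept dir
            esac
        done < "$list"
    done
    return 1
}

# keep_status ROOT PATH : print "kept" or "lost" for a quick audit report
keep_status() {
    if is_kept "$1" "$2"; then echo kept; else echo lost; fi
}

# make_fixture : build a constructed fake root tree and print its path.
# The sysctl entry shows how a custom file is added to /etc/sysupgrade.conf;
# the keep.d file stands in for one shipped by a package (names invented).
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/etc" "$root/lib/upgrade/keep.d"
    printf '# custom entries\n/etc/sysctl.d/11-nf-conntrack.conf\n/root/.profile\n' \
        > "$root/etc/sysupgrade.conf"
    printf '/etc/config/nginx\n/etc/nginx/custom_certs\n' \
        > "$root/lib/upgrade/keep.d/nginx"
    echo "$root"
}
```

On a router, `keep_status / /etc/sysctl.d/11-nf-conntrack.conf` printing `lost` means the line still has to be added to /etc/sysupgrade.conf before the next ns-upgrade; `sysupgrade -l` remains the authoritative list.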

This is the perfect solution for me. I will test it these days.

I am currently reading the documentation for HA. I implemented it, but there is a peculiarity in my case: I cannot have active WAN interfaces on both routers. I have a solution for this that I am currently using on OpenWRT, but there are still things that are not clear to me about how they work with you, and I will read before asking.

Hello everyone :slight_smile:

Today or tomorrow, the hardware I have planned for the first/main router will arrive, and I will need to pay attention to it.
As a result, this will delay my attempt to replace OpenWRT with Nethsec.

3 Likes